HIPAA-Aware Development

Healthcare platforms built HIPAA-aware — by design.

InWork Global is a technology development and marketing firm. We are not covered entities under HIPAA, but we act as Business Associates when building systems that process Protected Health Information — and we sign a BAA before any such engagement.

HIPAA-aware · BAA available · AES-256 at rest · TLS 1.3 in transit

Important disclosure

When a BAA is required.

InWork Global is a technology development and marketing firm. We are not covered entities under HIPAA. However, we can be Business Associates when building systems that process Protected Health Information (PHI) for healthcare clients.

If InWork builds a system that touches PHI — patient names, health conditions, appointment details, treatment records — a Business Associate Agreement (BAA) is required. We maintain BAA templates and sign them for covered engagements. HIPAA-awareness is designed into the architecture; it is not retrofitted after launch.

HIPAA-aware architecture

Four practices we design in from the start.

Healthcare technology has requirements generic vendors consistently miss. We design for them at the architecture level — before a line of code is written.

Data segregation

PHI is never mixed with marketing analytics data. Separate infrastructure for PHI-touching systems, and no PHI in log files, analytics platforms, or debug output.

Encryption

AES-256 at rest for all PHI-containing databases, TLS 1.3 in transit, and encrypted backups with restricted access.

Access control

Minimum necessary access to PHI, MFA required for PHI system access, an audit log on all PHI access, and immediate access revocation on team change.

Analytics & marketing

Server-side event tracking with no PHI in browser pixels, PHI-scrubbing middleware that runs before any analytics event fires, a signed BAA with every platform that might process PHI, and a HIPAA-aware GA4 implementation that receives only de-identified events (Google does not offer a BAA covering Google Analytics, so no PHI may be sent to it).
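The middleware described above, and the "no PHI in log files" rule from the data segregation practice, both come down to the same control: decide what may leave the server by allowlist, and treat anything that looks like an identifier as PHI until proven otherwise. The following is an added example, not InWork Global's code. It assumes a GA4-style event shape (`{"name": ..., "params": {...}}`); the event names, parameter names and the sample event are hypothetical and constructed for the example.

```python
"""Allowlist-based PHI scrubber for server-side analytics events and log lines.

Added example, not InWork Global's code. It assumes a GA4-style event shape
({"name": ..., "params": {...}}); the event and parameter names are hypothetical.
"""
from __future__ import annotations

import re
from typing import Any, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Deny by default: an event or parameter not named here never leaves the server.
ALLOWED_EVENTS = {"page_view", "cta_click", "form_submit"}          # hypothetical
ALLOWED_PARAMS = {"page_type", "page_location", "cta_id",
                  "engagement_time_msec", "locale"}                  # hypothetical
# Identifiers (client_id, user_id, e-mail hashes) are deliberately absent from the
# allowlist: combined with a health-related page they may themselves be PHI.

# Values that look like direct identifiers even when they arrive under an allowed name.
PHI_VALUE_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),              # e-mail address
    re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),   # US phone number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                # SSN
    re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}"),           # ISO date (DOB, appointment)
]


def scrub_value(value: Any) -> Optional[Any]:
    """Return the value if it is a scalar with no PHI-looking content, else None."""
    if isinstance(value, str):
        return None if any(p.search(value) for p in PHI_VALUE_PATTERNS) else value
    if isinstance(value, (int, float, bool)):
        return value
    return None  # nested objects, lists and None are dropped rather than inspected


def scrub_page_location(url: str) -> str:
    """Keep scheme, host and path; keep only utm_* query keys; drop the fragment.

    Numeric path segments (/patients/12345/...) are replaced by '{id}' so that
    record identifiers do not reach the analytics platform.
    """
    parts = urlsplit(url)
    path = "/".join("{id}" if seg.isdigit() else seg for seg in parts.path.split("/"))
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.startswith("utm_") and scrub_value(v) is not None]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def scrub_event(event: dict) -> tuple[Optional[dict], list[str]]:
    """Return (clean_event, reasons); clean_event is None if the event is rejected."""
    name = event.get("name")
    if name not in ALLOWED_EVENTS:
        return None, [f"event '{name}' not in allowlist"]
    clean, dropped = {}, []
    for key, value in event.get("params", {}).items():
        if key not in ALLOWED_PARAMS:
            dropped.append(f"{key}: parameter not in allowlist")
        elif key == "page_location" and isinstance(value, str):
            clean[key] = scrub_page_location(value)
        elif (safe := scrub_value(value)) is None:
            dropped.append(f"{key}: value matched a PHI pattern or is not a scalar")
        else:
            clean[key] = safe
    return {"name": name, "params": clean}, dropped


def redact_for_log(text: str) -> str:
    """Replace PHI-looking substrings before a message reaches a log file."""
    for pat in PHI_VALUE_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


# Constructed sample event: what a naive client-side pixel might have sent.
SAMPLE_EVENT = {
    "name": "cta_click",
    "params": {
        "page_type": "booking_confirmation",
        "page_location": "https://clinic.example/book?utm_source=google&patient=Jane+Doe&condition=diabetes#top",
        "patient_name": "Jane Doe",
        "appointment_time": "2024-06-01T09:30",
        "cta_id": "book-now",
        "engagement_time_msec": 1200,
        "locale": "en-US",
        "notes": "call 555-123-4567",
    },
}

if __name__ == "__main__":
    clean, dropped = scrub_event(SAMPLE_EVENT)
    print(clean)
    for reason in dropped:
        print("dropped:", reason)
    print(redact_for_log("Booked jane.doe@example.com for 2024-06-01, call 555-123-4567"))
```

The allowlist is the important part: a denylist of known PHI field names fails the first time a developer adds a new parameter, whereas an allowlist fails closed. The regex pass is a second line of defence for PHI that arrives under an innocent-looking name (free-text notes, search terms), not a substitute for the allowlist, and the dropped-reason list should be counted in monitoring so that a client that repeatedly sends PHI is found and fixed rather than silently scrubbed forever.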

Compliance architecture

HIPAA-aware by default — not retrofitted.

Signed BAA required before any PHI-touching integration
PHI never appears in Meta Pixel, Google Analytics, or any ad-platform event
Separate PHI-handling infrastructure from marketing analytics
Server-side event tracking with PHI-scrubbing middleware
AES-256 encryption at rest, TLS 1.3 in transit
Role-based access control with audit logging on all patient-data access
Data breach response procedure with notification to the covered entity
Patient data export (HIPAA right of access) and retention/destruction policy

Breach notification

A response procedure, ready in advance.

InWork maintains a data breach response procedure. In the event of a PHI breach, we notify the covered entity within the timeframe required by their breach response plan and our BAA, typically within 30 days of discovery and immediately for high-risk breaches. The HIPAA Breach Notification Rule sets the outer limit for a business associate at no later than 60 days after discovery; the 30-day commitment is deliberately shorter, since the covered entity's own 60-day clock for notifying affected individuals starts from the same discovery.

HIPAA-aware

BAA available · compliance by design

We design for HIPAA awareness at the architecture level, sign a BAA with every party that touches PHI, and keep clinical claims out of all AI outputs. There is no government-issued HIPAA certification, and we do not claim one; HIPAA-aware development backed by a signed BAA is what we deliver.

Healthcare technology specialists

Build patient-first technology with confidence.

HIPAA-aware architecture, a BAA when PHI is involved, and US oversight on every engagement. Tell us what you're trying to ship.

Integrity. Urgency. Ownership.


40+ US businesses served · 65+ engineers · Zero long-term lock-in
